Network security devices are designed to be put in the data path of the network traffic in order to inspect and control the network traffic. A popular way to deploy network security is so called “bump-in-the-wire” that the devices are deployed in the data path for security inspection. However, it may not be practical to deploy security devices on every data path of network traffic in a data center. There are also needs to be able to flexibly perform security inspection on different parts of networks. The traditional bump-in-the-wire deployment cannot fulfill the needs.